my digital notebook

Tag Archives: sshd

If you’re running Solaris 8 or 9 and an upgrade results in broken SSH X11 forwarding, the problem may be Sun’s socfs bug. The symptom will be SSH’s failure to set the $DISPLAY variable and an error in your system log looking something like this:

For one reason or another RHEL does not disallow incoming ssh connections as root. This is, of course, a glaring security problem, and it should be addressed on any system that accepts ssh connections from anything but the most restricted networks.

The best practice, of course, is to make the initial ssh connection as an unprivileged user and then use the “su” command to promote yourself to root. This way, even if an attacker managed to get into the system, it would be as an unprivileged user and they would not be able to do much harm. Allowing incoming ssh connections as root leaves you much more exposed to attack. Granted, your root password still protects you, but it becomes your only layer of defense.

OK, so how do we disallow incoming ssh connections as root on our RHEL box?

Many System V UNIX variants use scripts in the /etc/rcN.d/ directories to control which services should be started in the various runlevels. If, for instance, you wanted the secure shell daemon to run in runlevel 4, you would put a script named something like “S55sshd” in “/etc/rc4.d”. This script would usually accept the “start”, “stop” and “restart” arguments and contain the commands to perform those functions. When the system came up, it would execute “/etc/rc4.d/S55sshd start” as it transitioned into runlevel 4. On the way down, it would execute “/etc/rc4.d/S55sshd stop” as the system passed from runlevel 4 to runlevel 3. If you had made some changes to the sshd configuration file and wanted to restart the service, you could manually execute “/etc/rc3.d/S55sshd restart” to kill and then restart the daemon.

Since this model involved having multiple copies of the same script in many different directories, Linux and others have adopted the standard of putting all service control scripts in “/etc/init.d/” and using symbolic links to these scripts in the various “/etc/rcN.d/” directories. This allowed for the SGI IRIX innovation of the “chkconfig” command, a command-line tool that manages the symbolic links for you.

How to use “chkconfig” in Red Hat Enterprise Linux:

First, all your service control scripts need to be in the “/etc/init.d/” directory. They should reflect the name of the service they control. In our example, the file is named “/etc/init.d/sshd”.

Secondly, they have a tag at the head of the script that looks something like this, so that “chkconfig” understands that it can control it:

The first set of numbers, “2345”, is the set of default runlevels for the service; “55” and “25” give the numeric part of the “S” and “K” symbolic link names, and therefore the order in which the service will be started and stopped in the respective runlevel. You will need to change these last two numbers, making them unique.

Once these requirements are met, using the command is fairly simple. When we go into /etc/rc3.d, we see a file called “S55sshd”.

“chkconfig --list sshd” confirms that sshd has now been enabled in runlevels 2, 3, 4 and 5, and we see a symbolic link to “/etc/init.d/sshd” named “S55sshd” in “/etc/rc2.d/”, “/etc/rc3.d/”, “/etc/rc4.d/” and “/etc/rc5.d/”.
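As an added example (not part of the original post), the following POSIX shell script re-implements the link bookkeeping described above inside a throwaway sandbox directory: it reads the “# chkconfig: 2345 55 25” header, creates the S55sshd and K25sshd links the way “chkconfig --add” does, reports them like “chkconfig --list”, and then trims sshd down to runlevel 5 only. The exact header line and the SANDBOX, header_fields, set_level, add_service and list_service names are this example's own.

```shell
# Added example, not from the original post: a minimal re-implementation of the
# symlink bookkeeping chkconfig does, driven by the "# chkconfig: 2345 55 25"
# header. Every function takes a sandbox root first, so the real /etc is untouched.
# header_fields ROOT SERVICE -> prints "levels start stop" from the init script
header_fields() {
    line=$(grep '^# chkconfig:' "$1/etc/init.d/$2" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line                 # "#" "chkconfig:" levels start stop
    echo "$3 $4 $5"
}

# set_level ROOT SERVICE N on|off -> exactly one S<start> or K<stop> link in rcN.d
set_level() {
    root=$1; svc=$2; n=$3; state=$4
    fields=$(header_fields "$root" "$svc") || return 1
    set -- $fields
    dir="$root/etc/rc$n.d"; mkdir -p "$dir"
    rm -f "$dir"/S??"$svc" "$dir"/K??"$svc"   # drop any stale link first
    if [ "$state" = on ]; then link="S$2$svc"; else link="K$3$svc"; fi
    ln -s "../init.d/$svc" "$dir/$link"
}

# add_service ROOT SERVICE -> like "chkconfig --add": S links in the header's
# default runlevels, K links in every other runlevel
add_service() {
    levels=$(header_fields "$1" "$2") || return 1
    levels=${levels%% *}
    for n in 0 1 2 3 4 5 6; do
        case "$levels" in
            *$n*) set_level "$1" "$2" "$n" on ;;
            *)    set_level "$1" "$2" "$n" off ;;
        esac
    done
}

# list_service ROOT SERVICE -> "0:off 1:off 2:on ..." like "chkconfig --list"
list_service() {
    out=""
    for n in 0 1 2 3 4 5 6; do
        if ls "$1/etc/rc$n.d"/S??"$2" >/dev/null 2>&1; then s=on; else s=off; fi
        out="${out:+$out }$n:$s"
    done
    echo "$out"
}

# Constructed sandbox: an sshd init script carrying the header from the post.
SANDBOX=$(mktemp -d); mkdir -p "$SANDBOX/etc/init.d"
printf '#!/bin/sh\n# chkconfig: 2345 55 25\n' > "$SANDBOX/etc/init.d/sshd"
add_service "$SANDBOX" sshd; list_service "$SANDBOX" sshd   # 0:off 1:off 2:on 3:on 4:on 5:on 6:off
for n in 2 3 4; do set_level "$SANDBOX" sshd "$n" off; done; list_service "$SANDBOX" sshd   # only 5:on
```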

Let’s imagine now that we only want sshd to be enabled in runlevel 5. We run the following command to accomplish this: